Evolution of the situation

During the last month, we gained 3 paid work hours: we’re now at 61 hours per month sponsored by 28 organizations and we have one supplementary sponsor in the pipe that should bring 4 more hours.

The increase is not very quick but seems to be steady. Hopefully at some point, we will have enough resources to do a more exhaustive job. For now, the paid contributors handle in priority the most popular packages used by the sponsors and there are some packages in the end of the queue which have open security issues for months already (example: CVE-2012-6685 on libnokogiri-ruby).

In terms of security updates waiting to be handled, the situation looks a little bit worse than last month: the dla-needed.txt file lists 40 packages awaiting an update (3 more than last month), the list of open vulnerabilities in Squeeze shows about 58 affected packages in total (5 less than last month). We are getting a bit more effective with CVE triage.

A logo for the LTS project?

Every time that I write an LTS report, I remember that it would be nice if my LTS related articles could feature a nice picture/logo that reminds people of the LTS team/initiative. Is there anyone up for the challenge of creating that logo?

My monthly report covers a large part of what I have been doing in the free software world. I write it for my donators (thanks to them!) but also for the wider Debian community because it can give ideas to newcomers and it’s one of the best ways to find volunteers to work with me on projects that matter to me.

Debian LTS

This month I have been paid to work 14.5 hours on Debian LTS. I worked mostly on CVE triage (41 commits in the security tracker) and organizational issues. One maintainer complained that he had not been kept in the loop for an LTS update of his package. After some discussion, I decided to change the way I did CVE triage so that any time that I add a package to our list of packages needing an update, I also send a mail to the maintainer, thus offering him the opportunity to step in.

To make this sustainable, I wrote a small helper script that will generate a mail out of a template. And to kickstart the process I mailed all maintainers of packages that were already listed in our queue of packages to update.

To improve the email generated, I requested a JSON export of the security tracker data (see discussions in #761859). In the mean time, Holger worked on this already and after a few iterations we did converge on an output format that will be really useful both for my needs in terms of CVE triage but also for the Package Tracker to be able to display the list of security vulnerabilities affecting each release (see #761730).

Last but not least, I don’t want to be the only one doing CVE triage for our LTS release so I documented the process in our wiki page.

As a side note, I sponsored an e2fsprogs update prepared by Nguyen Cong and I sent the DLA for the embargoed samba update that had been prepared by Ivo de Decker (thanks to both of them!).

Tryton

Like last month, I invested again a copious amount of time on Tryton, fixing some bugs that were affecting me and improving the French chart of accounts to properly manage purchases and sales within the European Union. Here are some links for more details:

Debian

I did some work on Distro Tracker, I fixed #777453 (password reset not working because the generated email was using an invalid From email) and #779247 (obsolete build reproducibility action items were not dropped). I also started to work on restructuring the mail handling in distro-tracker (cf #754913) but it’s not public yet.

While I have no plans to stop contributing to Debian (it’s part of my day job!), I reduced my non-work related involvement by officially recognizing that I was no longer properly assuming some of my responsibilities and that I was following too many mailing lists and RSS feeds. The most notable changes are that I removed myself from the maintenance of dpkg, developers-reference, quilt, sql-ledger, and a few perl/python modules.

Misc

Voting software. Part of the reason why I’m reducing my involvement in Debian is that I got more involved in Nouvelle Donne (a French political party) and in particular in the handling of its digital infrastructure (currently running on Ubuntu, doh!). As part of this, I was looking for free software to handle secure votes and elections (and if possible adhering to the principles of liquid democracy). There’s no perfect solution and no clear winner.

That said I started following the evolution of AgoraVoting because it seems to have a good momentum and has some interesting features (it already supports votes with ranked choices, supports good crypto, has been used for elections involving large numbers of voters in the context of Podemos in Spain). But it still has some ways to go to establish itself as a truly international and community-backed project.

GDM bug. Due to my work on Kali, I filed a bug against GDM (this one has been quickly fixed upstream, it’s still open in Debian) and another one against accountsservice to request the possibility to define the default graphical session.

Dirvish formula for Salt. I contributed another formula to manage backups with dirvish.

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In January, 48 work hours have been equally split among 4 paid contributors. Their reports are available: Ben Hutchings Holger Levsen Raphaël Hertzog Thorsten Alteholz Evolution of the situation During the last month, the number of paid […]

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In December 46 work hours have been equally split among 4 paid contributors (note that Thorsten and Raphaël have actually spent more hours because they took over some hours that Holger did not do over the former […]

Like each month, here comes a report about the work of paid contributors to Debian LTS. Individual reports In November 42.5 work hours have been equally split among 3 paid contributors. Their reports are available: Thorsten Alteholz did his share as usual. Raphaël Hertzog worked 18 hours (catching up the remaining 4 hours of October). […]